Monday, March 31, 2014

In the course of running Suits and Spooks, I've had numerous requests from executives of various-sized companies regarding whether I've seen any exciting new security startups that look promising. I do from time to time, and I make those introductions whenever possible.

Then just last week, a colleague suggested that I consider hosting a security start-up happy hour for a future Suits and Spooks event. I considered it for about a week and then realized that rather than a happy hour, a speed "dating" lunch format might be the perfect way to bring a dozen or more promising security startups in front of directors, VPs, and CISOs in short 5 minute bursts.

A Speed Lunch, But Not For Dating

We'll use a selection process to identify startups who fall into various buckets (threat intelligence, data analytics, malware detection, etc.) and invite the top 20 to a private luncheon with decision-makers from mid-size and enterprise-level companies.

As a potential customer, you'll know beforehand who the startups are and what they do, as well as their "vitals" (management team, product description, date of formation, etc.), and then select up to 6 startups to meet with over a 60 minute lunch in 8 minute speed rounds.

As a selected startup, you'll have an opportunity to meet 1:1 with those people most important to your success: interested potential customers who have a need for your product.

Our inaugural event will happen soon at an exclusive venue in New York City or Washington DC. If you have a security startup company and want to participate, contact me today for more information.

Friday, March 28, 2014

Assumption of Breach is the only realistic network defense strategy that governments and corporations should have today. If you agree, then the next question you should ask is - what data can I not afford to lose?

Wednesday, March 26, 2014

HARVEY: What are your choices when someone puts a gun to your head?
MIKE: What are you talking about? You do what they say or they shoot you.
HARVEY: WRONG. You take the gun, or you pull out a bigger one. Or, you call their bluff. Or, you do any one of a hundred and forty six other things.
- Harvey Specter and Mike Ross, Suits (Season one)

Ten days ago I was faced with too few registrations 30 days in advance of Suits and Spooks San Francisco. After multiple failed attempts to generate interest from my InfoSec contacts, I began to entertain the possibility that I wasn't going to attract enough registrations to warrant holding the event. Fortunately, as a die-hard "Suits" fan, I knew better! There are never just two options to consider, and there was no way that I was going to pull the plug on this event. I just had to "do any of 146 other things." Which I did. And with fantastic results.

Effective immediately, Suits and Spooks San Francisco is now Suits and Spooks Monterey; to be hosted by the Cyber Security Initiative at the Monterey Institute of International Studies (MIIS) where 18 or more speakers from Ukraine, Russia, Great Britain, Estonia and the United States will discuss the current Crimean crisis and global security risks to critical infrastructure on April 17-18 at Irvine Auditorium.

Dr. Itamara Lochard, the director of the Cyber Security Initiative and Dr. Amy Sands, MIIS' provost, have enthusiastically embraced the Suits and Spooks conference model as well as our Russia-Ukraine focus.

In retrospect, the lack of interest from one group has opened the door to an incredible opportunity not only for this event in April but for future collaborative events with the MIIS Cyber Security Initiative!

Saturday, March 22, 2014

Today's New York Times article "NSA Breached Chinese Servers Seen As Security Threat" reveals an NSA operation called SHOTGIANT that created backdoors into Huawei servers which allowed them to spy on company communications. This is, of course, precisely what the U.S. government has accused Huawei of doing to the U.S. The unfortunate difference is that now we've been caught at it and Huawei hasn't. This doesn't mean that Huawei has never done such a thing. As the saying goes, absence of evidence isn't necessarily evidence of absence. What it does mean, however, is that the White House, Congress, policymakers and National Security advisors need to stop saying stupid shit like this:

“We do not give intelligence we collect to U.S. companies to enhance their international competitiveness or increase their bottom line. Many countries cannot say the same.” - Caitlin M. Hayden, White House spokeswoman

When it comes to national security, there is nothing that will prevent the U.S. government from acting in its own self-interest, because that is precisely what nation states do. If there were such a thing as state-owned enterprises in the U.S., like they have in China, Russia, and France for example, I have no doubt that the NSA would be the best in the world at stealing intellectual property to benefit U.S. SOEs. The only reason why the NSA doesn't do it is because we don't have any!

It seems like no one knows exactly what is contained in Snowden's documents, but perhaps a good rule of thumb would be to give up the strategy of invoking a moral high ground. As far as espionage goes, we don't have a leg to stand on. The NSA will do what it is tasked to do. So will China's MSS, Russia's FSB, and every other spy agency in the world.

A better strategy would be to find ways to encourage China to develop a body of intellectual property law and create MLATs between U.S. and Chinese law enforcement to help them catch hackers who are attacking Chinese government websites. There's a lot of value to be gained in understanding and identifying independent mercenary hacker groups operating within China's IP space because they don't only target Chinese websites. To put it as simply as possible - our current strategy on Chinese cyber espionage activities has not only had ZERO effect, it has made us look ineffective and hypocritical. It's time for a change.

Tuesday, March 18, 2014

Chances are good that you haven't heard of S&TI. It's not one of the INTs that IC watchers love to write about. It's not in vogue like SIGINT and it's definitely not as sexy as HUMINT. It is, however, what I and my fellow researchers at Taia Global have been engaged in since 2010 and thanks to the excellent work of the National Commission for the Review of the Research and Development Programs of the United States Intelligence Community, it has become part of the Intelligence Authorization Act for 2014 (S. 1681) as drafted by the Senate Select Committee on Intelligence. And the Committee has tasked DNI Clapper to investigate and craft a strategic plan for improving how the Intelligence agencies conduct Science and Technical Intelligence (S&TI) on foreign R&D.

The Commission also highlighted the IC’s inability to understand, let alone bring coherence to, the efforts of its various elements against foreign science and technology (known as S&TI). S&TI informs not only IC R&D investment decisions, but also policymakers’ decisions about what capabilities to develop. The IC’s R&D and S&TI capabilities are only growing in importance given the pace and scope of change in technology and the threat environment.
Therefore, within 180 days of enactment, the DNI, in conjunction with the Under Secretary of Defense for Intelligence (USD(I)), shall provide a Zero Based Review to the congressional intelligence committees. This Zero Based Review shall include the following:

The identification of total financial investments for R&D functions and programs allocated across the NIP and Military Intelligence Program (MIP), and their relationship to investments at other U.S. Government departments and agencies;

An explanation of the requirements process for S&TI across the IC, including identifying similarities and differences in procedure and nomenclature across the various agencies and elements;

A review of current organization, to include IC leadership and management of R&D and S&TI efforts across the IC and within each agency, for how the IC attains synergies and unity of effort, and how it avoids unnecessary duplication of R&D.

The Committee also believes a strategic plan for R&D and S&T is essential to meeting the challenges of a globalized, interconnected world. The rapid diffusion of science and technology across the globe provides state and non-state actors with new opportunities to develop asymmetric advantages, increasing the risk of strategic surprise to the U.S. Government. From advanced manufacturing to advanced biometrics, we cannot take for granted legacy superiority in technology and expect the United States to maintain its competitive edge. The unique nature of science and technology requires a renewed commitment from senior leaders within the IC, especially at a time when neither R&D nor S&TI attracts sufficient prioritization from policymakers in the executive and legislative branches of government.

Therefore, the Committee directs the DNI, in conjunction with USD(I), to append a Strategic Plan to the Fiscal Year 2015 congressional budget submission. The plan shall include both the NIP and MIP. The Strategic Plan must include mechanisms to:

Establish robust leadership, unity of effort, and an emphasis on R&D issues;

Establish an executive agent within the IC for S&TI;

Better align R&D investments across the IC in order to avoid unnecessary duplication and to achieve synergies among R&D efforts across the NIP and MIP;

Develop partnerships with, and leverage talent from, academia and industry, especially smaller, innovative firms that may not traditionally collaborate or contract with the U.S. Government (emphasis added), and an R&D reserve corps to supplement the IC’s expertise as needed;

Increase policymakers' exposure to global R&D trends that could affect U.S. national security or undermine the U.S. Government's R&D efforts (emphasis added);

Leverage the foreign scientific and technical talent increasingly available to U.S. academic institutions and businesses.

We are 75 days away from our alpha release of REDACT, the world's first commercial Rival State R&D search engine, and we're looking to engage with five alpha corporate customers in the industry sectors of aerospace, banking, or energy, or any enterprise-level security operations team. As an example of the extent of our database, here's a 50,000-foot view of our China silo captured two weeks ago.

For more information, request our REDACT information sheet. We are only accepting five alpha customers so act soon.

Sunday, March 16, 2014

The ongoing conflict between Russia and Ukraine over Crimea and its implications for defining cyber warfare is a watershed moment for everyone concerned with issues of sovereignty, warfare, hacktivism, and security. For that reason, I've dedicated a significant portion of our Suits and Spooks San Francisco agenda to exploring those issues with some of the best subject matter experts in the country including Professor Anna Vassilieva of the Monterey Institute of International Studies.

Tomorrow's computer security engineers and data analysts may be well prepared to handle the technical demands of their job but it's doubtful that they'll understand the national security implications that a borderless Internet and global social media presence have created.

To that end, I'd like to offer up to 30 computer science and political science students from Northern CA colleges and universities an opportunity to come to Suits and Spooks San Francisco for free if we can find individuals or companies to sponsor them. If you'd like to have your name or your company's name on a free pass to a Stanford, Berkeley or Monterey Institute of International Studies student, here's how to do it.

Saturday, March 15, 2014

"We KiberBerkut declare that today at 18:00 we launched an attack on NATO resources:"

On March 15, 2014 Cyber Berkut (KiberBerkut) launched a DDoS attack against these NATO websites:

http://ccdcoe.org

http://nato.int

http://nato-pa.int

Those who favor Ukrainian independence and closer ties with the EU would have no reason to attack NATO. Cyber Berkut, as it turns out, doesn't belong to that group. They are staunch supporters of the former President Viktor Yanukovych who fled to Russia last month and they hate Yulia Tymoshenko who was freed from prison on Feb 22. Cyber Berkut has also called for the release of 70 Pro-Russian activists and Governor Pavel Gubarev in the city of Donetsk.

Cyber Berkut's website has claimed responsibility for launching attacks which interfered with mobile phone service for "neo-fascist groups" which support the revolution, and they've hacked 100 or more Ukrainian websites since they began on March 3, 2014.

Cyber-Berkut.org is hosted in San Francisco by CloudFlare and the WHOIS data is privacy-protected.

Source: Robtex
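The "hosted in San Francisco by CloudFlare" datum above is worth a second look before it goes into an attribution: a Cloudflare address is an anycast edge, not the origin server, and privacy-protected WHOIS removes the registrant as well. The following is an added example (not code from the original post) of the check a researcher can run over the A records and raw WHOIS text for a domain before reading the hosting location as meaningful. The Cloudflare prefix list is a snapshot of the ranges Cloudflare publishes and is an assumption that must be refreshed from the live list; the A records and WHOIS record are constructed sample data for example.org, not data captured from cyber-berkut.org, and the function names are the example's own.

```python
"""Hosting-attribution sanity check (added example, not from the original post).

Given the A records returned for a domain and the raw WHOIS text, decide whether a
"hosted in <city>" reading is meaningful or whether the domain sits behind a CDN /
reverse proxy whose anycast edge hides the origin server.
"""
import ipaddress
import re

# Assumption: snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# The live list is authoritative; refresh before relying on this in an investigation.
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Substrings that privacy/proxy registration services typically place in registrant fields.
PRIVACY_MARKERS = ("whoisguard", "proxy", "privacy", "redacted")


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside a known Cloudflare anycast prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def whois_fields(whois_text: str) -> dict:
    """Parse 'Key: Value' lines of a WHOIS record into a dict keyed by lowercased field name."""
    fields = {}
    for line in whois_text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields


def whois_is_private(whois_text: str) -> bool:
    """True if the registrant fields look like a privacy/proxy service rather than a person or org."""
    fields = whois_fields(whois_text)
    registrant = " ".join(v for k, v in fields.items() if k.startswith("registrant")).lower()
    return any(marker in registrant for marker in PRIVACY_MARKERS)


def assess_hosting(a_records, whois_text: str) -> dict:
    """Combine the two signals into a verdict on what the hosting data actually tells you."""
    fronted = bool(a_records) and all(is_cloudflare(ip) for ip in a_records)
    private = whois_is_private(whois_text)
    if fronted and private:
        verdict = "origin and registrant both hidden; IP geolocation says nothing about the operator"
    elif fronted:
        verdict = "origin hidden behind CDN edge; registrant data may still be useful"
    elif private:
        verdict = "origin IP exposed but registrant hidden; pivot on the hosting provider"
    else:
        verdict = "origin IP and registrant both visible"
    return {"fronted_by_cloudflare": fronted, "private_whois": private, "verdict": verdict}


# Constructed sample input: not data captured from any real domain.
SAMPLE_A_RECORDS = ["104.20.5.1", "104.20.4.1"]
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.ORG
Registrar: Example Registrar, Inc.
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Country: PA
Name Server: NS1.EXAMPLE-CDN.NET
"""

if __name__ == "__main__":
    print(assess_hosting(SAMPLE_A_RECORDS, SAMPLE_WHOIS))
```

When both signals come back hidden, the only actionable fact is which company can be served with legal process; the edge's data-centre city is not where the operator is.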

The choice of the word "Berkut" may give a clue as to who's behind the group's activities. Berkut is the name of a special police force within the Ministry of Internal Affairs who used terrorist tactics against anyone who threatened Yanukovych's Presidency, especially those who supported the Euromaidan revolution. Translated, Berkut is golden eagle, which figures prominently on the Berkut logo as well as the logo used by Cyber Berkut. Notice the similarity between the two (Berkut Special Police is on the left):

Cyber Berkut (@cyberberkut1) is not the only pro-Russia "hacktivist" group working against Ukrainian independence. Anonymous Ukraine (@FreeUkraineAnon on Twitter) is another. In fact, they attacked the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) website back on November 7, 2013 as well as Estonia's Ministry of Defense website (Estonia is where the CCDCOE headquarters are).

On March 14, the Voice of Russia announced that Anonymous Ukraine had obtained emails from U.S. Assistant Army Attaché Jason P. Gresh to a senior official of the General Staff of the Ukrainian Army named Igor Protsuyuk which describe a U.S. false flag attack against Ukraine:

By tomorrow, the 15th of March 2014, the United States, through its agents in Ukraine, will begin a series of false flag attacks on targets in Ukraine which have been designed to make it look as if they were carried out by the Special Forces of the Russian Federation.

The article then goes on to reprint the text of three emails. The one that Gresh supposedly wrote reads like it came out of a Matt Helm spy movie from the 60s:

Ihor,
Events are moving rapidly in Crimea. Our friends in Washington expect more decisive actions from your network.
I think it's time to implement the plan we discussed lately. Your job is to cause some problems to the transport hubs in the south-east in order to frame-up the neighbor.
It will create favorable conditions for Pentagon and the Company to act.
Do not waste time, my friend.
Respectfully,
JP
Jason P. Gresh
Lieutenant Colonel, U.S. Army
Assistant Army Attaché
U.S. Embassy, Kyiv
Tankova 4, Kyiv, Ukraine 04112
(380-44) 521 - 5444 | Fax (380-44) 521 – 5636

Back to Cyber Berkut - considering the group's strong pro-Russia position, it came as a surprise when I read one journalist after another repeat the claim that Cyber Berkut attacked 40 Russian websites. There's no mention of any attacks against Russian websites at Cyber-Berkut.org, nor would any such attacks make sense. The group is pro-Russian, just like Yanukovych.

This is a textbook example of how Anonymous with its anarchist framework ("we are all Anonymous") can be easily co-opted to support the political agenda of a nation state while appearing to be an opposition movement. And how some journalists who rush to get a story out without doing any fact-checking can perpetuate the hoax.

A careful study of the ongoing Russia-Ukraine conflict, including the creation and use of hacktivist groups by one or more security services, is essential for cyber warfare researchers, practitioners, lawyers, and policymakers. That's why I've invited Professor Anna Vassilieva, Director, Russian Studies Program, Monterey Institute of International Studies, and other regional experts to speak at Suits and Spooks San Francisco in April. Anna's topic is "Russia and Ukraine: What's True and What's New". As we've seen with Cyber Berkut and Anonymous Ukraine, the truth doesn't come that easy.

Thursday, March 13, 2014

Gartner analyst Ben Tomhave published his RSA 2014 Round-up and here is his assessment of the RSAC boycott:

As an aside, it should be noted that the planned protests had no real perceived impact on the event, which is rumored to have had attendance in the 25-30k range (I’m waiting on “official” numbers from RSA). Yes, the Vegas 2.0 crew did run their awareness event on the Wednesday of RSA, and some people were handing out pamphlets around the event, but really, that was about all that people noticed. I spoke to several people who planned to attend the competing TrustyCon event, but most of those people also were RSA speakers or attendees. Basically, the protests seemed to amount to much adieu about nothing…

It should be noted that Ben was never a supporter of the protest. In fact, he accused me and other speakers who withdrew of "whiny grandstanding" so his assessment of the effects of the boycott is understandable if not predictable. However, the biggest error that he made in his assessment is that he missed the point, much like Bruce Lee's student in this clip from Enter the Dragon:

Just like the student who stared at Bruce Lee's finger instead of the heavens, Ben and many other folks who objected to an RSAC boycott confused the action (the boycott) for the target (RSA, not RSAC). Boycotting RSAC was the finger. RSA's poor judgment around Dual_EC_DRBG was what the finger was pointing at.

To that end, the boycott was successful because it raised awareness about exactly what happened between the NSA and RSA, and because it forced RSA Executive Chairman Art Coviello to spend much of his keynote attempting to convince his customers that RSA was an innocent victim that the "bad" NSA took advantage of. RSA is truly awful in crisis management.

Most importantly, RSA Security has even less credibility among existing and potential customers than ever before. There's an object lesson in there somewhere for CEOs and their boards who continually choose to sacrifice security on the altar of profitability.

Wednesday, March 12, 2014

Yesterday, Aleks Gostev wrote a very informative article about the similarities between four pieces of malware: Red October, Turla (aka Snake, Uroburos), Flame/Gauss, and Agent.btz.

It's a carefully crafted piece that doesn't leap to conclusions without sufficient evidence; something that I've praised the members of Kaspersky's Global Research and Analysis Team for many times. In fact, many U.S. security companies who are competitors of Kaspersky Lab could learn a lot from the manner in which GReAT researchers write their reports.

One of the things that was new to me about Agent.btz was that ThreatExpert included an alias for it named Voronezh.1600. Aleks pointed out that it may be a reference to the "mythical Voronezh school of hackers, in Russia."

That made me laugh because I wrote about the Voronezh Hacking School in the 2nd edition of my book "Inside Cyber Warfare". In fact, there's an entire chapter dedicated to Russia's information security framework including universities and research institutes who are engaged in information security/warfare training, research and development.

While it's true that there's scant evidence about the existence of a Voronezh Hacking School, there's certainly enough to not label it a "fantasy". In fact, it was a Russian public television program that kicked things off about the existence of such a place with a segment on the Voronezh Military Radio-electronics Institute in June, 2001.

Here's a recap from my book:

In June 2001, Russian Public Television ORT presented a segment on the Voronezh Military Radio-electronics Institute. The ORT correspondent stated that the institute started a secret school devoted to information security in 1997 and another secret school devoted to information warfare. The information warfare school began training professional hackers for the military in 2001. Both schools were located in the Department of Automatic Control Systems.

The Voronezh Military Radio-electronics Institute has been re-organized twice in the last five years. In 2006, the institute merged with the Voronezh Aviation Engineering School to form the Voronezh Aviation Engineering University. In 2008, President Putin signed Russian Federation Order No. 1951 that further restructured military higher education and established the Military Aviation Engineering University at Voronezh. The order authorized the University 15,092 total civilian and military personnel. According to a May 2009 article in a Voronezh paper, the University is expanding with the cadet body growing from 4800 to 6500. The Voronezh paper interviewed University head Major-General Gennadiy Zibrov who detailed further expansion plans.

The restructured University almost certainly includes the two secret schools covering information security and information warfare. The University’s current web site shows departments for Electronic Warfare and Electronic Warfare (Information Security). The five year program in Electronic Warfare (Information Security) leads to designation as Specialist Data Protection for both the military and “law enforcement agencies.”

The Voronezh Military Aviation Engineering University (VAIU) continues to engage in research and development in the area of electronic warfare as well as aviation armament, system maintenance and other related projects.

Even if the producers of ORT's 2001 television program got their facts wrong about a "military hackers school", there's certainly no shortage of Russian universities that teach how to attack and defend networks. For example, we recently discovered three textbooks used at Bauman Moscow State Technical University's Dept. of Information Security. Here's the table of contents for "Countering Cyber Attacks: The Technological Bases":

"CIS" stands for Critical Information Systems. The program teaches both offensive and defensive methods.

"The increasing pace and adoption of global scientific and technological discovery heighten the risk of strategic or tactical surprise and, over time, reduce the advantages of our intelligence capabilities. To counter these effects, the strategy of the IC first must be to seek global knowledge of—as well as influence over and access to—R&D developments."

To that end, we are converting our database of Russian and Chinese R&D in the areas of information security, aerospace, and other key areas into an easy to use R&D search engine. If you'd like more information about our alpha-stage product, please contact us. We have a few limited opportunities for alpha customers.

Saturday, March 8, 2014

Russia's latest offensive against Ukraine over Crimea has revealed how little Russian expertise the U.S. has (see this New York Times article) as well as the failure of the U.S. Intelligence Community to anticipate Russian military actions against Georgia in 2008 and Ukraine in 2014 (see former CIA Director Michael Hayden here).

I've worked closely with a recently retired Russia analyst from the IC for the past six years and he has confirmed to me that since the end of the Cold War, Russia has never been a high priority for U.S. policymakers. Indeed, no one has wanted to be bothered by potentially problematic briefings about Russia.

You can see the end result of that knowledge gap in just about every article that has come out recently describing Russia's "Cyber Playbook". They all describe the same tactics that I and other researchers wrote about six years ago. Unfortunately, Russia's past tactics in Estonia and Georgia do not even come close to adequately describing their tactical options with Ukraine. Here are a few reasons why:

No more Nashi
In 2008, the Russian government had been fostering and financing the Nashi youth organization for the past three years. Nashi members were involved in the Estonia cyber attacks of 2007, Georgian gov't websites in 2008 and targeted individual Georgian supporters in 2009. Today, the Nashi as it existed under Vladislav Surkov and Vasily Yakemenko is no more. And the same could be said for Surkov and Yakemenko thanks to Putin after he replaced Dmitry Medvedev as President.

Russian hackers aren't all supporting the Russian gov't on Ukraine
Back in 2008, Russian hacker forums were actively recruiting volunteers for attacks against Georgia. Not so today. In fact, I've been told that many Russian hackers are angry with Putin and are supporting their Ukrainian friends. Others, like @Rucyborg on Twitter, are trying to embarrass the Putin administration by breaching servers that contain sensitive information about the dealings of the Russian government such as this incident reported by the Hindustan Times.

New Russian Military Doctrine published in 2010
Russia published its 2010 military doctrine which acknowledged the "intensification of the role of information warfare" and assigned as a task to "develop forces and resources for information warfare."

Funding for dual-use Information Security R&D
Since 2010, Russia like the U.S., China and other countries has made dual use information security research and development a top priority at dozens of top research institutes and universities. Such research includes but isn't limited to:

Russian Military and Security Services Hacker Training
At least twelve institutes provide world-class instruction in dual-use information security and electronic warfare technologies to graduates who are then hired by the Security Services and Ministry of Defense for offensive and defensive operations. Some of those institutes are included in the below graphic, which was Taia Global's depiction of Russia's cyber security organization in 2011.

Copyright 2011 Taia Global Inc. All Rights Reserved

My point with this article is not to say that the Russian government doesn't still have the capability to use proxies the way that it did in 2008 and before. I'm sure that it does; however, it has invested large sums of money to give its military and security services capabilities that are far beyond what they had in 2008. If you want to properly assess a threat, you need to understand your adversary's intent, capability and opportunity. The U.S. government has not kept current on Russian technical advancements, which means that we cannot estimate capability accurately. In fact, the National Commission for the Review of the Research and Development Programs of the U.S. Intelligence Community released its findings late last year after a two year study, and its very first finding was:

The Commission found a limited effort by the IC to discern and exploit the strategic R&D—especially non-military R&D—intentions and capabilities of our adversaries, and to counter our adversaries' theft or purchase of U.S. technology.

Bottom line: We can't afford to continue to belong to the "Mile-wide" club when it comes to Russian capabilities. We need to do better.

Thursday, March 6, 2014

Until now, the only example of cyber warfare where cyber was a component of a military invasion has been the Russia-Georgia war of August 2008. Today, we are seeing cyber attacks play a significant role in the increasing tension between Russia and Ukraine.

Russian hackers who are sympathetic to the Ukrainian people have just leaked 1,000 documents related to the operations of Russian defense contractor Rosoboronexport and are promising to leak more data from other Russian companies.

A Russian contact has told me that a member of Putin's Cabinet has authorized cyber mercenaries to hack into WiFi and telecommunications services in Ukraine to collect credentials and install malware on mobile phones.

Reuters reported the head of Ukraine's Security Service Valentyn Nalivaichenko as saying "I confirm that an IP-telephonic attack is under way on mobile phones of members of Ukrainian parliament for the second day in row."

Korsun Konstiantyn, head of the Ukrainian Information Security Group has been attempting to form a civilian cyber defense force in anticipation of a military action by Russia. He posted the following message to his LinkedIn group: "In connection with the Russian military intervention against Ukraine ask everyone who has the technical ability to resist the enemy in the information war, contact me in PM and be ready for battle. Will communicate with the security forces and to work together against an external enemy."

My contact has informed me that the SVR will be involved in cyber attacks against Ukrainian targets. And it would certainly utilize graduates from the Voronezh Hacking School, a secret school that's part of the Voronezh Military Radio-electronics Institute; an organization that Taia Global reported on in 2011 and continues to monitor.

The Russian military and security services are well-equipped and trained to engage in offensive cyber operations ranging from social media manipulation and control to targeting automatic systems (i.e., industrial control systems) from an airborne platform.

Due to the importance of this conflict, I've decided to allocate a large portion of our Suits and Spooks event in April to expert discussion on the cyber and kinetic components of the Russia - Ukraine conflict. Speakers will include Kos Konstiantyn (quoted above) via Skype, Dr. Anna Vassilieva, Director, Russian Studies Program at Monterey Institute of International Studies, and other invited guests.

Tomorrow I'll be participating on a panel at the Harvard International Law Journal Symposium to speak on this issue and the question of when cyber attacks rise to the level that justifies armed response. I should have the Suits and Spooks website updated with our Russia-Ukraine intensive by this weekend. Please feel free to contact me with any questions or if you have information to share.